Timed model checking has been extensively researched in recent years. Many new formalisms with 
time extensions and tools based on them have been presented. On the other hand, Explicit-Time 
Description Methods aim to verify real-time systems with general untimed model checkers. Lamport 
presented an explicit-time description method using a clock-ticking process (Tick) to simulate the 
passage of time together with a group of global variables for time requirements. This paper proposes a 
new explicit-time description method with no reliance on global variables. Instead, it uses rendezvous 
synchronization steps between the Tick process and each system process to simulate time. This new 
method achieves better modularity and facilitates usage of more complex timing constraints. The two 
explicit-time description methods are implemented in DiVinE, a well-known distributed-memory 
model checker. Preliminary experiment results show that our new method, with better modularity, is 
comparable to Lamport's method with respect to time and memory efficiency. 

1 Introduction 

Model checking is an automatic analysis method which explores all possible states of a modeled sys- 
tem to verify whether the system satisfies a formally specified property. It was popularized in industrial 
applications, e.g., for computer hardware and software, and has great potential for modeling and moni- 
toring complex and distributed business processes. Timed model checking, the method to formally verify 
real-time systems, is attracting increasing attention from both the model checking community and the 
real-time community. However, general model checkers like SPIN [14] can only represent and verify 
the qualitative relations between events, which constrains their use for real-time systems. The quantified 
time notions, including time instant and duration, must be taken into account for timed model checking. 
For example in a safety critical application such as in an emergency department, after an emergency case 
arrives at the hospital, general model checking of hospital protocol can only verify whether "the patient 
receives a certain treatment", but to save the patient's life, it should be verified whether the protocol 
ensures that "the patient receives a certain treatment within 1 hour". 

Many formalisms with time extensions have been presented as the basis for timed model checkers. A typical example is timed automata [5], which is an extension of finite-state automata with a set of clock variables to keep track of time. Lamport [16] calls this approach Implicit-Time Description Methods. UPPAAL is a well-known timed-automata-based model checker; it has been successfully applied to various real-time controllers and communication protocols. Conventional temporal logics like Linear Temporal Logic (LTL) or Computation Tree Logic (CTL) must be extended [6] to handle the specification of properties of timed automata. The foundation for the decidability results in timed automata is the notion of region equivalence over clock assignments [9]. Models in a timed-automata-based model checker cannot represent at which time instant within a time region a transition is executed; such model checkers can only deal with specifications involving a time region or a pre-specified time instant. However, many real-time systems, especially those with pre-emptive scheduling features, need to record the time instant when the pre-emption happens for succeeding calculation. For example, triage is widely practiced in medical procedures: the caregiver C may be administering some required but non-critical treatment to patient A when another patient B presents with a critical situation, such as a cardiac arrest. C then must move to the higher priority task of treating B, but it is necessary to store the elapsed time of A's treatment to determine how much time is still needed or whether the treatment needs to be restarted. Stop-watch automata, an extension of timed automata, were proposed to tackle this; unfortunately, as Krcal and Yi discussed in [15], since the reachability problem for this class of automata is undecidable, there is no guarantee of termination in the general case.

On the other hand, Lamport [16] advocated the Explicit-Time Description Methods, which aim to use ordinary model checkers to realize timed model checking. He presented an explicit-time description method using a clock-ticking process (Tick) to simulate the passage of time and a pair of global variables to store the lower and upper time bounds for each modeled system process. The main advantage of the explicit-time approach is that it does not need specialized languages or tools for time description. The method has been implemented with the popular model checkers SPIN (sequential) [14] and SMV [17]. Recently, Van den Berg et al. [10] successfully applied LEDM to verify the safety of railway interlockings for one of Australia's largest railway companies. An additional benefit of the explicit-time approach is that, because it explicitly records the passage of time, the current time instant can be accessed easily; the pre-emptive scheduling problem discussed in the previous paragraph, which is difficult for timed-automata-based model checkers, can therefore be modeled naturally with explicit-time description methods.

In this paper, we propose a new explicit-time description method called Sync-based Explicit-time Description Method (SEDM), which does not rely on global variables; instead it uses rendezvous synchronization steps between the Tick process and each system process. After the Tick process completes synchronization steps with every system process, the global clock increments by one time unit. While, as Lamport commented [16], "The approach (LEDM) cannot be used in process-based languages and formalisms with no explicit global state, such as CCS, CSP, Petri nets, streams and I/O automata", SEDM can do exactly that. As an added advantage, SEDM allows the timing constraints to be defined either globally or locally, so the whole system can be modeled in a way that enhances its modularity. We choose DiVinE [7], a well-known distributed model checker, because it accommodates the up-to-date multi-core architecture, i.e., clusters of multi-core CPUs, and it has been tested successfully in large-scale clusters, even in a large-scale optical grid [19]. Experimental results show that SEDM is comparable to LEDM with respect to time and memory efficiency, so SEDM can be used in place of LEDM.

The remainder of the paper is organized as follows. After a brief introduction to DiVinE, Section 2 presents the LEDM with its DiVinE implementation. The new method SEDM with its DiVinE implementation is presented in Section 3. Section 4 describes our experiments and the results. Section 5 concludes the paper.



2 Preliminaries 

The syntax outlined in Section 2.1 is incomplete; it is meant only for the presentation of the explicit-time description methods. The complete description can be found in [3].
2.1 The DiVinE Model Checker and its Modeling Language 

DiVinE is an explicit-state LTL model checker based on the automata-based procedure by Vardi and Wolper [18]. The property to be specified is described by an LTL formula; both the system model and the LTL formula are represented by automata, and the model checking problem is then reduced to detecting in the combined automaton graph whether there is an accepting cycle, i.e., a cycle in which one of the vertices is marked "accepting". With distributed algorithms that assign different portions of the state space to be explored by different machines, DiVinE can (1) verify much larger system models and (2) finish the verification in significantly less time (in comparison with the well-known explicit-state LTL model checker SPIN).

DVE is the modeling language of DiVinE. As in Promela (the modeling language of SPIN), a model described in DVE consists of processes, message channels and variables. Each process, identified by a unique name procid, consists of a list of local variable declarations, process state declarations, an initial state declaration and a list of transitions. A transition transfers the process state from stateid1 to stateid2; the transition may contain a guard (which decides whether the transition can be executed), a synchronization (which communicates data with another process) and effects (which assign new values to local or global variables). So we have

    Transition ::= stateid1 -> stateid2 { Guard Sync Effect }

The Guard contains the keyword guard followed by a boolean expression, and the Effect contains the keyword effect followed by a list of assignments. The Sync follows the CSP notation for communication: '!' for the sender and '?' for the receiver. The synchronization can be either asynchronous or rendezvous. The chanid is the channel for the synchronization; value(s) can be transferred over it. So we have

    Sync ::= sync chanid!SyncValue | chanid?SyncValue

The property to be specified can be written as an LTL formula and a corresponding property pro- 
cess can be automatically generated. Modeled system processes and the property process progress syn- 
chronously, so the latter can observe the system's behavior step by step and catch errors. 

2.2 Lamport Explicit-time Description Method 

The passage of time and quantified time values can be expressed in untimed languages, and the properties to be specified can be expressed in conventional temporal logics. In LEDM, the current time is represented by a global variable now that is incremented by an added Tick process. As we mentioned earlier, ordinary model checkers can only deal with integer variables, so with an explicit-time description a real-time system can be modeled in discrete time only. The Tick process increments now by 1.

Placing lower-bound and upper-bound timing constraints on transitions in processes is the common way to model real-time systems. Figure 1 shows a simple example of only two transitions: transition S: stateid_l -> stateid_m is followed by transition A: stateid_m -> stateid_n. An upper-bound timing constraint on when a transition A: stateid_m -> stateid_n must occur is expressed by a guard on the transition in the Tick process, so as to prevent an increase in time from violating the constraint. A lower-bound constraint on when the transition A may occur is expressed by a guard on A, so it cannot be executed earlier than it should be. Each system process P_i has a pair of count-down timers as global variables, ubtimer_i and lbtimer_i, for the timing constraints on its transitions. A large enough integer constant INFINITY is defined; upper bound timers with the value INFINITY are not active and the Tick process does not decrement them. All upper bound timers are initialized to INFINITY and all lower bound timers are initialized to zero. For transition A, the timers are set to the correct values by its preceding transition S. As now is incremented by 1, each non-INFINITY ubtimer and non-zero lbtimer is decremented by 1.

Figure 1: States and timeline for process P_i

Initially, (ubtimer_i, lbtimer_i) are set to (INFINITY, 0). The transition S is executed at time instant t_0, and (ubtimer_i, lbtimer_i) are set to (T2, T1). After T1 time units, i.e., at time instant t_1 when (ubtimer_i, lbtimer_i) is equal to (T2 − T1, 0), the transition A is enabled. Both timers will be reset or set to new time bounds after the execution of A. If the transition A is still not executed when the time reaches t_2 and ubtimer_i is equal to 0, the transition in the Tick process is disabled, which means the clock has to stop here. Only after ubtimer_i is set by transition A can the Tick process start again. In this way, the upper-bound time constraint is realized.

The Tick process and the system process P_i in DVE are described in Figure 2 and Figure 3.

    process P_Tick {
      state tick;
      init tick;
      trans
        tick -> tick { guard all ubtimers > 0;
                       effect now = now + 1,
                              decrement all timers; };
    }

Figure 2: Tick process in DVE for LEDM

    process P_i {
      state state_l, state_m, state_n;
      init ...;
      trans
        ... -> ...;
        state_l -> state_m { effect set timers for transition A; },
        state_m -> state_n { guard lbtimer[i] == 0; effect ...; },
        ... -> ...;
    }

Figure 3: System process P_i in DVE for LEDM

We observe that the value of now is limited by the size of the integer type, and careless incrementing can cause an overflow error. This can be avoided by incrementing now using modular arithmetic, i.e., setting now = (now + 1) mod MAXIMAL (MAXIMAL is the maximal integer value supported by the model checker). The value limit can also be increased by linking several integers, i.e., every time now mod MAXIMAL becomes zero again, int2 increments by 1, and so on. Note that the variable now is only incremented in the Tick process and does not appear in any other process. So for general system models in which time lower and upper bounds suffice, the variable now should be removed.



3 The New Sync-based Explicit-Time Description Method 

This section presents the new SEDM, followed by two examples to illustrate its modularity advantage 
and capability to model pre-emptive scheduling problems. 

3.1 The Method 

In the new SEDM, the passage of time is also simulated by an additional Tick process. In one time unit, 
it completes synchronization steps with each system process. The current time is the count of previous 
synchronization steps, so all the timing variables can be defined either locally or globally. In this way, 
local timers can be added or removed without affecting the model globally and good modularity can be 
achieved. Note that the now variable can also be removed for a similar reason, but if any system process 
contains any enabling condition that is dependent on a certain time instant, it is safe to define a now 
variable locally. 

For the same example as in Figure 1, P_i has local timers (ubtimer, lbtimer). For the transition A: stateid_m -> stateid_n, the timers are set to the correct values (T2, T1) by its preceding transition S: stateid_l -> stateid_m. The execution is similar to Lamport's method except that: (1) the timers are decremented locally by 1 after each synchronization with the Tick process; (2) if the transition A is still not executed when the time reaches t_2 and ubtimer is equal to 0, there is no synchronization step before executing transition A. Because the Tick process has to synchronize with each process for each tick, it must wait for P_i's next sync statement.

The Tick process, for two system processes, in DVE is described in Figure 4. The local ubtimer and lbtimer can be defined and used in a system process as in Figure 5.

Readers may argue against the use of round-robin scheduling of all synchronization steps in one tick: P_1 always ticks before P_2. In fact, a timed model to be verified is built to cover every possible execution of all system steps, which can be assured in SEDM by separating transitions for system steps from transitions for time synchronization in all system processes. Therefore, we do not need to cover every possible sequence of all synchronization steps; one sequence is enough for the verification.

Readers may also be concerned about the size of the state space and time efficiency, as SEDM adds N synchronization steps for every time unit, N being the number of system processes. However, the experimental results (see Section 4) show that as the model grows bigger, the time and memory efficiency and size of state space are comparable to those of LEDM.

    process P_Tick {
      state tick1, tick2;
      init tick1;
      trans
        tick1 -> tick2 { sync chan1!; },
        tick2 -> tick1 { sync chan2!; };
    }

Figure 4: Tick process in DVE for SEDM

    process P_i {
      int ubtimer, lbtimer;
      state state_l, state_m, state_n, ...;
      init ...;
      trans
        ... -> ...;
        state_l -> state_m { effect set timers for transition A; },
        state_m -> state_m { guard ubtimer > 0; sync chan1?;
                             effect decrement timers by 1; },
        state_m -> state_n { guard lbtimer == 0 && ...; ...; },
        ... -> ...;
    }

Figure 5: System process P_i in DVE for SEDM

3.2 An Example with Complex Timers 

As the time can be accessed locally with SEDM, complex timing constraints, e.g., fixed time delay 
(the special case when ubtimer==lbtinier), multiple independent (possibly overlapping) timers and 
dependent timers, can be expressed more conveniently than with LEDM because with the latter method 
new global variables must defined and the Tick process must be updated. 

Figure 6 describes five transitions A, B, C, D, E in P_i (see the upper part of the figure) and their associated timeline. Transition A: stateid_m -> stateid_n has a fixed time delay T0; transition B: stateid_n -> stateid_o has upper and lower bounds (T2, T1); transition C: stateid_n -> stateid_p has upper and lower bounds (T4, T3). After the execution of transition A, there is a time period (t3, t4) during which both transitions B and C are enabled and one is chosen non-deterministically. Transitions D: stateid_o -> stateid_q and E: stateid_p -> stateid_q have upper and lower bounds which depend on the execution time of B or C. The process P_i in DVE is described in Figure 7.

3.3 An Example of Pre-emptive Scheduling 

Following the triage example described in Section [H we consider a system of multiple parallel tasks with 
different priorities, assuming that the right to an exclusive resource is deprivable, i.e., a higher priority 
task B may deprive the resource from the currently running task A. In this case, the elapsed time of A's 
execution must be stored for a future resumed execution. 
Figure 6: States and timeline for complex timers using SEDM 



    process P_i {
      ...;
      trans
        ... -> ...;
        state_l -> state_m { effect fixdelay = T0; },
        state_m -> state_m { guard fixdelay > 0; sync chan1?;
                             effect fixdelay = fixdelay - 1; },
        state_m -> state_n { guard fixdelay == 0; ...;
                             effect ubtimer1 = T3, lbtimer1 = T1,
                                    ubtimer2 = T4, lbtimer2 = T2; },
        state_n -> state_n { guard ubtimer2 > 0; sync chan1?;
                             effect decrement timers by 1; },
        state_n -> state_o { guard ubtimer1 > 0 && lbtimer1 == 0; ...; },
        state_n -> state_p { guard ubtimer2 > 0 && lbtimer2 == 0; ...; },
        ... -> ...;
    }

Figure 7: System process P_i in DVE with complex timers



Figure 8 shows a portion of a state transition diagram for task A, assuming A needs the exclusive resource R for 10 time units: when R becomes available at time instant t_0, A starts its execution by entering the state Exec; at time instant t_1, B deprives A of its right to R, and A changes to the state Deprived and stores the elapsed t_1 − t_0 time units; when R becomes available again, A resumes its execution in state Exec for the remaining 10 − (t_1 − t_0) units. Implementation of this example using any one of the three explicit-time description methods is straightforward. Figure 9 shows the process for task A in DVE using SEDM (assuming A has the lowest priority).
Figure 8: An Example of Pre-emptive Scheduling

    byte isROccupied = 0;   // 0 means available
    process A {
      default (Tag, tagA)
      int timeToGo = 10;
      int ltimer;            // local count-down timer for the current execution
      state s_i, s_Exec, s_Deprived, ...;
      init ...;
      trans
        ... -> ...;
        s_i -> s_Exec { guard isROccupied == 0;
                        effect isROccupied = Tag, ltimer = timeToGo; },
        s_Exec -> s_Exec { guard ltimer > 0; sync chan1?;
                           effect ltimer = ltimer - 1; },
        // R has been taken by a higher priority task: remember the remaining time
        s_Exec -> s_Deprived { guard isROccupied != Tag && ltimer > 0;
                               effect timeToGo = ltimer; },
        s_Deprived -> s_Deprived { guard isROccupied != 0; sync chan1?; },
        s_Deprived -> s_Exec { guard isROccupied == 0;
                               effect isROccupied = Tag, ltimer = timeToGo; },
        s_Exec -> s_Next { guard ltimer == 0;
                           effect isROccupied = 0; },
        ... -> ...;
    }

Figure 9: Process in DVE for Pre-emptive Scheduling Example using SEDM



4 Experiments in DiVinE 

For the convenience of comparison, we experiment with Fischer's mutual exclusion algorithm, a well-known benchmark for timed model checking, which is also used by Lamport in his experiments [16]. The brief description of the algorithm is adapted from [16]. Our experiments model the algorithm in DiVinE using LEDM and SEDM, and compare the time and memory efficiency and the size of the state space.

Fischer's algorithm is a shared-memory, multi-threaded algorithm. It uses a shared variable x whose value is either a thread identifier (starting from 1) or zero; its initial value is zero. For the convenience of specifying the safety property in our experiments, we use a counter c to count the number of threads that are in the critical section. The program for thread t is described in Figure 10.

    ncs: noncritical section;
    a:   wait until x = 0;
    b:   x := t;
    c:   if x ≠ t then goto a;
    cs:  critical section;
    d:   x := 0; goto ncs;

Figure 10: Program of thread t in Fischer's algorithm

The timing constraints are, first, that step b must be executed at most δ time units (as an upper bound) after the preceding execution of step a; and second, that step c cannot be executed until at least ε time units (as a lower bound) after the preceding execution of step b. For step c, there is an additional upper bound δ_upper to ensure fairness. For convenience, we use the same value for the three constraints, i.e., δ = ε = δ_upper = T. The algorithm is tested for 6 threads. The safety property, "no more than one process can be in the critical section", is specified as G(c < 2) for the model.
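As an added illustration (this editor's code, not part of the paper and not a DiVinE model), the following Python script models the thread of Figure 10 under the LEDM timer discipline of Section 2.2, explores the reachable states by breadth-first search and checks G(c < 2); the thread count and the values of δ, ε and δ_upper passed to it are constructed parameters.

```python
"""Explicit-state check of Fischer's algorithm with the LEDM timer discipline.

Constructed example: upper-bound timers block the Tick step, lower-bound
timers guard the constrained step, INF marks an inactive upper-bound timer
(the paper's INFINITY).  delta, eps and eps_upper stand for the paper's
delta, epsilon and delta_upper; the values used below are assumptions."""
from collections import deque

INF = 10**9                                    # inactive upper-bound timer
NCS, A, B, C, CS = "ncs", "a", "b", "c", "cs"  # program counters of Figure 10


def thread_steps(state, t, delta, eps, eps_upper):
    """Successor states produced by one step of thread t (1-based)."""
    pcs, x, ubs, lbs = state
    pc, lb = pcs[t - 1], lbs[t - 1]

    def with_thread(new_pc, new_x, new_ub, new_lb):
        return (pcs[:t - 1] + (new_pc,) + pcs[t:], new_x,
                ubs[:t - 1] + (new_ub,) + ubs[t:],
                lbs[:t - 1] + (new_lb,) + lbs[t:])

    if pc == NCS:                 # leave the noncritical section
        return [with_thread(A, x, INF, 0)]
    if pc == A and x == 0:        # a: saw x = 0; b is due within delta
        return [with_thread(B, x, delta, 0)]
    if pc == B:                   # b: x := t; c allowed after eps, due by eps_upper
        return [with_thread(C, t, eps_upper, eps)]
    if pc == C and lb == 0:       # c: lower bound elapsed; test x
        return [with_thread(CS if x == t else A, x, INF, 0)]
    if pc == CS:                  # d: x := 0; goto ncs
        return [with_thread(NCS, 0, INF, 0)]
    return []                     # blocked: waiting for x = 0 or for lbtimer


def tick(state):
    """The Tick process: disabled while any ubtimer is 0, else decrements timers."""
    pcs, x, ubs, lbs = state
    if any(ub == 0 for ub in ubs):
        return None
    return (pcs, x,
            tuple(ub if ub == INF else ub - 1 for ub in ubs),
            tuple(max(lb - 1, 0) for lb in lbs))


def check_mutex(n, delta, eps, eps_upper):
    """Breadth-first exploration; returns (G(c < 2) holds, reachable state count)."""
    init = ((NCS,) * n, 0, (INF,) * n, (0,) * n)
    seen, queue = {init}, deque([init])
    while queue:
        s = queue.popleft()
        if sum(pc == CS for pc in s[0]) >= 2:     # the paper's counter c
            return False, len(seen)
        succ = [ns for t in range(1, n + 1)
                for ns in thread_steps(s, t, delta, eps, eps_upper)]
        nxt = tick(s)
        if nxt is not None:
            succ.append(nxt)
        for ns in succ:
            if ns not in seen:
                seen.add(ns)
                queue.append(ns)
    return True, len(seen)


if __name__ == "__main__":
    for args in ((2, 2, 3, 3), (2, 3, 2, 2), (3, 1, 2, 4)):
        print(args, check_mutex(*args))
```

With ε < δ (second parameter set) the exploration reaches a state with two threads in cs and returns False; with ε > δ it returns True.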
Figure 11: Time (in seconds), number of states and memory usage (in MB) for Fischer's algorithm using two explicit-time methods in DiVinE with 16 CPUs

Version 0.8.1 of DiVinE-Cluster is used. This version has the new feature of pre-compiling the model in DVE into dynamically linked C functions; this feature speeds up the state space generation significantly. According to the published experimental results of DiVinE [19], we choose the OWCTY (One Way to Catch Them Young) algorithm for better time efficiency, as our example property is known to hold.

All experiments are executed on the Mahone cluster of ACEnet [1], the high performance computing consortium for universities in Atlantic Canada. The cluster is a Parallel Sun x4100 AMD Opteron (dual-core) cluster equipped with a Myri-10G interconnect. Parallel jobs are assigned using the Open MPI library.
Figure 11 compares time and memory efficiency for the two explicit-time description methods in both versions of DiVinE with 16 CPUs; it also shows how the size of the state space increases as T increases.

While SEDM has the larger number of states for all models, as the model becomes larger the time increases more slowly than with LEDM: time increases by a factor of 343 as T increases from 2 to 16 with LEDM, and by a factor of 204 as T increases from 2 to 16 with SEDM. It is also interesting to find that starting from T = 10, the time spent with SEDM is less than the time with LEDM.

Because SEDM adds N synchronization steps (recall that N is the number of system processes) for each time unit, the size of the state space of the model generated by our method is bigger than that generated by Lamport's method. But as the model becomes bigger, the difference becomes insignificant. For T = 2, the ratio states(SEDM)/states(LEDM) is [value illegible in the source], while for T = 16 the two state space sizes become comparable.

The memory usage of both methods is comparable. Because the OWCTY algorithm requires that the whole state space fit into the (distributed) memory, enough memory must be allocated in order for the verification to succeed.

Note that when increasing the number of CPUs an added portion of memory needs to be counted for 
increasing inter-node communications. 



5 Discussion and Conclusion 

In this paper, we propose a new method, SEDM using rendezvous synchronization steps, so the timing 
constraints can be defined either globally or locally, compared to the heavy reliance on global variables in 
LEDM. Consequently, SEDM makes it possible to model discrete time with some process-based untimed 
languages without explicit global variables. With SEDM, real-time systems can be modeled with a high 
degree of modularity and more complex timing constraints can be modeled more conveniently. 

As Lamport mentions in [16], the explicit-time description methods are not designed to beat specialized timed model checkers like UPPAAL: it is obvious that timed-automata-based model checkers can handle continuous time semantics while EDMs can only deal with discrete time semantics. However, EDMs are intended to offer more options for the verification of real-time systems. First, explicit-time description methods provide a solution for accessing and storing the current time instant for pre-emptive scheduling models. Second, while the size of the state space in an explicit-time method grows with the number of time units, it is less sensitive to the number of concurrently running timers. This suggests that an explicit-time method implemented in an untimed model checker may verify more complex system behaviors. Third, as Van den Berg et al. mention in [10], in some real-world scenarios where significant resources have already been invested into the model for a general model checker such as SPIN or SMV, it is much easier and therefore preferable to extend the existing model to represent time notions rather than to re-model the entire system for a specialized timed model checker. Last but not least, explicit-time description methods enable the use of existing large-scale distributed model checkers such as DiVinE, so that we can verify much bigger real-time systems.

This research is part of an ambitious research and development project, Building Decision-support through Dynamic Workflow Systems for Health Care [12]. Verification that the health care process design meets its specifications, and monitoring the process to check the specifications for each instance (patient), are essential. Real-world health care workflow processes are highly dynamic and local changes are the norm. In addition to work in verification, members of our research group [2] are currently investigating parallel and distributed approaches to reasoning about structured knowledge bases (ontologies). Interfacing these reasoners and distributed model checkers with workflow engines will permit runtime monitoring of complex, highly variable and safety critical processes. Currently, we are using explicit-time description methods to model and verify real-world health care processes.

As a continuing effort in practical timed model checking, we also study the efficiency problem of explicit-time descriptions and have made some progress based on optimizing the Tick process [20], so that EDMs can be applied to problems of larger scale. Dutertre and Sorea [13] and Clarke et al. [11] recently presented two different abstraction techniques for timed automata whose abstraction outcome can be verified using untimed model checkers. We also intend to study the possibility of this kind of technique in distributed model checkers.